Language: SPL. License: Apache-2.0. Source: splunk/security_content
Windows Firewall Rule Added
This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 ("A change has been made to Windows Firewall exception list. A rule was added.") in the Windows Security Event Log. The event is only written when the "Audit MPSSVC Rule-Level Policy Change" audit subcategory is enabled, so confirm that audit policy on the monitored hosts before relying on this search. Firewall rule additions are often legitimate administrative actions, but they can also signal unauthorized changes, misconfigurations, or malicious activity such as an attacker allowing inbound traffic to a backdoor or persistence mechanism. Fields like RuleName, RuleId, Computer, and ProfileChanged show what was added and where, and security teams can use them to decide whether the change matches expected behavior; note that RuleName is chosen by whoever creates the rule, so an innocuous-looking name is not evidence of a benign change. The 4946 event does not record which account or process created the rule, so correlating it with user activity and process execution on the same host around the same time (for example netsh.exe or the PowerShell NetSecurity cmdlets) is what distinguishes false positives from real threats.
Rule source: detections/endpoint/windows_firewall_rule_added.yml
`wineventlog_security` EventCode=4946
| stats count min(_time) as firstTime max(_time) as lastTime BY RuleName signature subject status dest ProcessID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_firewall_rule_added_filter`
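As an added example, and not code from splunk/security_content, the following Python re-implements the search above so it can be run offline against constructed Event ID 4946 records. It assumes the events arrive in the Security-log XML shape that wevtutil and Get-WinEvent emit (ProfileChanged, RuleName and RuleId in EventData), groups by RuleName, Computer (dest) and ProfileChanged rather than the add-on-normalized signature/subject/status fields, and models the `windows_firewall_rule_added_filter` macro as a hypothetical allow-list of rule names that known tooling is expected to add. The host names, rule names, GUIDs and timestamps are all constructed.

```python
"""Stand-alone equivalent of the Windows Firewall Rule Added search.

Added example, not Splunk's code. Everything below the imports is
constructed for illustration; only the 4946 EventData field names
(ProfileChanged, RuleName, RuleId) come from the event's documented schema.
"""
from collections import defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sample_event(event_id, computer, system_time, rule_name, rule_id, profile):
    """Build a Security-log XML record in the shape wevtutil / Get-WinEvent emit.
    All values are constructed sample data for this example."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{system_time}"/>
    <Channel>Security</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="ProfileChanged">{profile}</Data>
    <Data Name="RuleName">{rule_name}</Data>
    <Data Name="RuleId">{rule_id}</Data>
  </EventData>
</Event>"""


# Constructed sample log: one expected default rule, a twice-added suspicious
# rule on a workstation, a 4947 (rule *modified*) that must be ignored, and the
# same suspicious rule name appearing on a server.
SAMPLE_EVENTS = [
    sample_event(4946, "ws01.corp.example", "2024-03-01T10:00:00Z",
                 "Core Networking - DNS (UDP-Out)",
                 "{11111111-1111-1111-1111-111111111111}", "Domain"),
    sample_event(4946, "ws01.corp.example", "2024-03-01T10:05:00Z",
                 "Remote Management Helper",
                 "{22222222-2222-2222-2222-222222222222}", "Public"),
    sample_event(4946, "ws01.corp.example", "2024-03-01T10:07:30Z",
                 "Remote Management Helper",
                 "{33333333-3333-3333-3333-333333333333}", "Public"),
    sample_event(4947, "srv02.corp.example", "2024-03-01T11:00:00Z",
                 "Remote Management Helper",
                 "{33333333-3333-3333-3333-333333333333}", "Public"),
    sample_event(4946, "srv02.corp.example", "2024-03-01T11:30:00Z",
                 "Remote Management Helper",
                 "{44444444-4444-4444-4444-444444444444}", "Private"),
]

# Hypothetical stand-in for the `windows_firewall_rule_added_filter` macro:
# rule names an environment expects tooling to (re)create.
EXPECTED_RULE_NAMES = frozenset({"Core Networking - DNS (UDP-Out)"})


def parse_event(xml_text):
    """Extract the fields the search uses from one Security-log XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    ts = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        "EventCode": int(system.findtext("e:EventID", namespaces=NS)),
        "_time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "dest": system.findtext("e:Computer", namespaces=NS),
        "RuleName": data.get("RuleName", ""),
        "RuleId": data.get("RuleId", ""),
        "ProfileChanged": data.get("ProfileChanged", ""),
    }


def detect_firewall_rule_added(xml_events, allowlist=frozenset()):
    """EventCode=4946 | stats count min(_time) max(_time) by group | filter."""
    groups = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if ev["EventCode"] != 4946:          # 4947/4948 are modify/delete, not add
            continue
        groups[(ev["RuleName"], ev["dest"], ev["ProfileChanged"])].append(ev)

    findings = []
    for (rule_name, dest, profile), evs in groups.items():
        if rule_name in allowlist:           # the filter macro's job
            continue
        times = [e["_time"] for e in evs]
        findings.append({
            "RuleName": rule_name,
            "dest": dest,
            "ProfileChanged": profile,
            "count": len(evs),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
            "RuleIds": sorted({e["RuleId"] for e in evs}),
        })
    return sorted(findings, key=lambda f: (f["dest"], f["RuleName"]))


if __name__ == "__main__":
    for finding in detect_firewall_rule_added(SAMPLE_EVENTS, EXPECTED_RULE_NAMES):
        print(finding)
```

Grouping on the same RuleName across hosts is deliberate: a rule name that appears on many machines in a short window is a better triage signal than any single event, and the RuleIds list shows whether the same rule was re-added (identical GUID) or created fresh each time.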